use empty placeholder KEYDATA records for all trust anchors, not just DS-style trust anchors. this revealed a pre-existing bug: keyfetch_done() skips keys without the SEP bit when populating the managed-keys zone. consequently, if a zone only has a single ZSK which is configured as trust anchor and no KSKs, then no KEYDATA record is ever written to the managed-keys zone when keys are refreshed. that was how the root server in the dnssec system test was configured. however, previously, the KEYDATA was created when the key was initialized; this prevented us from noticing the bug until now. configuring a ZSK as an RFC 5011 trust anchor is not forbidden by the spec, but it is highly unusual and not well defined. so for the time being, I have modified the system test to generate both a KSK and ZSK for the root zone, enabling the test to pass. we should consider adding code to detect this condition and allow keys without the SEP bit to be used as trust anchors if no key with the SEP bit is available, or at minimum, log a warning.
Showing with 41 additions and 104 deletions